China’s 2020 Cryptography Law in the Context of China’s Burgeoning Data Privacy and Security Regime

[Originally published as a Feature Article: China’s 2020 Cryptography Law in the Context of China’s Burgeoning Data Privacy and Security Regime, by Carolyn K. Luong, in Orange County Lawyer Magazine, April 2020, Vol. 62 No.4, page 31.]

By Carolyn Luong

U.S.-China relations have been a trending topic throughout the past year due to several conflicts involving the alleged encroachment upon free speech principles and perceived threats to U.S. national security. The NBA and Activision-Blizzard, both U.S.-based organizations, fielded criticisms in October of 2019 for supposed political censorship motivated by the fear of losing Chinese customers. Furthermore, as the U.S. races to build out its 5G infrastructure, the U.S. government has explicitly restricted U.S. corporations from conducting business with Chinese technology manufacturer Huawei upon apprehension that Huawei equipment may contain backdoors to enable surveillance by the Chinese government.[1]

Dr. Christopher Ford, Assistant Secretary of the U.S. State Department’s Bureau of International Security and Nonproliferation remarked in September that, “Firms such as Huawei, Tencent, ZTE, Alibaba, and Baidu have no meaningful ability to tell the Chinese Communist Party ‘no’ if officials decide to ask for their assistance—e.g., in the form of access to foreign technologies, access to foreign networks, useful information about foreign commercial counterparties . . . .”[2] These Chinese firms in response firmly deny any allegations of contemplated or actual instances of required cooperation with the Chinese government to compromise user information or equipment.

What Is Happening in Children’s Online Privacy?

Children’s online privacy has always been an important topic, but a number of recent developments around the world have many businesses taking it more seriously. In September, Google agreed to pay a record $170 million fine to the U.S. Federal Trade Commission for violating the Children’s Online Privacy Protection Act (COPPA) by illegally collecting personal information from children without parental consent and using it to profit through targeted ads. A few weeks later, China’s own version of COPPA called the “Measures on Online Protection of Children’s Personal Data,” came into force, providing further clarity on protecting children’s personal data online under China’s Cyber Security Law. On October 7, the FTC hosted a public workshop to explore whether to update COPPA, which is over 20 years old and in need of a refresh due to the emergence of new technologies. (Just think of all those smart devices, social media platforms and educational apps and technologies that were not around in 1998). Finally, the California Attorney General recently released proposed regulations to the California Consumer Protection Act, which goes into effect in January 2020, that would require a business that knowingly collects the personal information of children under the age of 13 to establish, document and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child.

Many children start using the Internet at an early age, raising privacy issues distinct from those for adults. First, children may not understand what data is being collected about them and how it is used. Second, children can easily fall victim to criminal behavior online by providing seemingly innocuous information to web users who can appropriate such information for malicious purposes. Third, children cannot give the same meaningful consent to data collection and use activities as an adult. 

In the U.S., Congress passed COPPA in 1998 to protect children’s use of the Internet—particularly websites and services targeted toward children. COPPA requires website operators to provide clear and conspicuous notice of the data collection methods employed by the website, including functioning hyperlinks to the website privacy policy on every web page where personal information is collected. It also requires affirmative consent by parents prior to collection of personal information for children under the age of 13. Recognizing that teenagers between the ages of 13 and 18 are not protected under COPPA, many individual states have made efforts to address privacy issues for this age group.

Recognizing the need to update COPPA to keep up with the times, the FTC considered the following topics at the October workshop, among others:

  • How the development of new technologies, the evolving nature of privacy harms, and changes in the way parents and children use websites and online services, affect children’s privacy today;
  • Whether COPPA should permit general audience platforms to rebut the presumption that all users of child-directed content are children, and if so, under what circumstances;
  • Whether COPPA should be amended to better address websites and online services that do not include traditionally child-oriented activities, but that have large numbers of child users.

It remains unclear how these issues and others will be resolved. Eager to tap into the new revenue streams that children represent, many tech companies will try to carve out exceptions to COPPA—openly or not. On the other side, child advocates and politicians such as Senator Edward Markey, one of the original authors of COPPA, are pushing back and even trying to tighten restrictions related to children’s online privacy. 

Sometimes the issues are not so black and white. For instance, many well-intentioned companies—tech and otherwise—that have no interest in marketing to children might still be unable to verify the age of users that visit their websites, resulting in inadvertent marketing to minors. Even those that attempt to verify the age of users may face challenges, given the thousands of websites dedicated to helping users bypass age gates and parental controls. Finally, some age verification techniques may run counter to data minimization and privacy concerns – e.g. the collection of credit card data to verify age, when it is not necessary for the provision of the service. Regardless of what happens with COPPA at the FTC and with new privacy laws that are springing up across the world, companies will need to be extra-cautious about how they approach children’s online privacy—continually reviewing their practices and policies to ensure that they are not running afoul of the multitude of laws and regulations out there. Those that do not run the risk of becoming subject to both regulatory and legal action.

Metaverse Law to Speak at Postal Customer Council Lunch and Learn

Metaverse Law will be giving a zip talk and participating in a Q&A panel on Thursday, November 14 at the Phoenix Club in Anaheim, CA about Data Protection and Cyber Security.

The event itinerary includes registration from 11:00AM to 11:45AM, followed by lunch and a seminar that concludes at 1:30PM.

Registration details can be found at http://www.socalpcc.org/lock-it-or-lose-it.html.

Cybersecurity Ignorance is No Excuse for Tax Professionals

Co-authored with Lily Li and Kenny Kang. Mr. Kang is a Certified Public Accountant (CPA), Chartered Global Management Accountant (CGMA), and Certified Fraud Examiner (CFE) with a wealth of experience in public accounting and industry.

CPAs and other tax professionals collect their clients’ crown jewels: sensitive financial data. This makes them prime targets for cybercriminals. For hackers looking to make a quick buck, or to engage in more sophisticated identity theft and tax fraud schemes, tax professionals are a treasure trove of social security numbers, tax ID numbers, bank account numbers, confidential agreements, and other personally identifiable information. Consequently, 3-5 tax practitioners get hacked each week, according to a 2017 webcast by the IRS criminal investigations unit – a number that has likely increased over the last couple of years.

In July 2019, IRS released its own statistics relating to identity theft:

IRS Individual Filing Article “Identity Theft Information for Tax Professionals”

[Page Last Reviewed or Updated: 24-Jul-2019]

An estimated 91 percent of all data breaches and cyberattacks begin with a spear phishing email that targets an individual. The criminal poses as a trusted source, perhaps IRS e-Services, a tax software company or a cloud-storage provider, or the criminal poses as a potential client or professional colleague. The objective is to get the tax professional to open a link or PDF attachment. This allows the thief to steal passwords or download malware that tracks keystrokes or gives the thief control of your computer. 

In light of the rise in cyberattacks against tax practitioners, the IRS has taken notice. For this year’s PTIN renewal season, the IRS revised Form W-12, IRS Paid Preparer Tax Identification Number (PTIN) (Rev. October 2019), by adding Line 11, which includes a mandatory checkbox requiring tax preparers to confirm their awareness of their data security responsibilities. Line 11, Data Security Responsibilities, states:

 As a paid tax return preparer, I am aware of my legal obligation to have a data security plan and to provide data and system security protections for all taxpayer information.  Check the box to confirm you are aware of this responsibility.

This affirmative checkbox applies to licensed tax attorneys, CPAs, enrolled agents, enrolled actuaries, enrolled retirement plan agents, state-regulated tax return preparers, and certifying acceptance agents, and it should not come as a surprise to tax professionals.

As early as 2008, the IRS released Publication 4557, “Safeguarding Taxpayer Data,” under the federal security requirements of the Gramm-Leach-Bliley Act of 1999 (GLBA). In 2018, the IRS updated Publication 4557 in recognition of the growing crisis of tax preparer data breaches.

In an IRS news release (IR-2018-175, Aug. 28, 2018), the IRS noted that “protecting taxpayer information isn’t just good for the clients and good for business – it’s also the law…tax return preparers must create and enact security plans to protect client data.”

Furthermore, over the 2019 summer, the IRS published a series of news releases: “Tax Security 2.0 – A “Taxes-Security-Together” Checklist” [IR-2019-122, IR-2019-127, IR-2019-131, IR-2019-136, IR-2019-140, IR-2019-143] for tax practitioners to consider as a starting point for analyzing data security. 

IRS, states and industry outline ‘Security Six’ protections to help tax professionals and taxpayers be safer online

IR-2019-127, July 16, 2019

WASHINGTON — Using a new “Taxes-Security-Together” Checklist, the Internal Revenue Service and the Security Summit partners urged tax professionals to review critical security steps to ensure they are fully protecting their computers and email as well as safeguarding sensitive taxpayer data.

The Security Summit partners – the IRS, states and tax industry – urge tax professionals to take time this summer to give their data safeguards a thorough review. To help the tax community, the Summit created a “Taxes-Security-Together” Checklist as a starting point for analyzing office data security.

The IRS noted that failing to enact a security plan, in violation of the FTC Safeguards Rule (the implementing regulation for the GLBA), could result in a:

  • Violation of IRS Publication 3112 – Safeguarding of IRS e-file from fraud and abuse is the shared responsibility of the IRS and Authorized IRS e-file Providers.
  • Violation of IRC Section 7216 – This provision imposes criminal penalties on any person engaged in the business of preparing or providing services in connection with the preparation of tax returns who knowingly or recklessly makes unauthorized disclosures.
  • Violation of IRC Section 6713 – This provision imposes monetary penalties on the unauthorized disclosure or use of taxpayer information by any person engaged in the business of preparing or providing services in connection with the preparation of tax returns.
  • Violation of Rev. Proc. 2007-40 – This procedure specifies that violations of the GLB Act and the implementing rules and regulations put into effect by the FTC, as well as violations of the non-disclosure rules addressed in IRC sections 6713 and 7216, are considered violations of Revenue Procedure 2007-40. These violations are subject to the penalties or sanctions specified in the Revenue Procedure. (See 2007-26)

Now, with an affirmative checkbox, tax professionals cannot claim ignorance of the rules. Instead, they will have to make a representation of their security compliance. Since Form W-12 is signed under penalty of perjury, providing false or misleading information may result in criminal penalties and/or the denial or termination of a PTIN.

So where should tax professionals start? First of all, the IRS has provided handy resources for tax preparers to understand the FTC Safeguards Rule and their obligations (see links below). Second, per these resources, tax professionals should conduct security risk assessments of their systems (potentially in conjunction with counsel) to mitigate current risks. Third, and finally, stay alert! As hackers get more sophisticated, risks change, and it is up to the tax professional to stay updated on the latest cyber risks or seek the assistance of third parties to manage these ongoing risks.

Publication 4557, Safeguarding Taxpayer Data

Publication 5293, Data Security Resource Guide for Tax Professionals

Identity Theft Information for Tax Professionals

*Disclaimer* This article is not legal advice or legal opinion, and the contents are intended for general informational purposes only. Circumstances may differ from situation to situation. All legal and other issues must be independently researched.

California Attorney General Releases Proposed CCPA Regulations

California Attorney General Xavier Becerra unveiled highly anticipated regulations on October 10, 2019 to enforce the California Consumer Privacy Act, a sweeping new privacy law set to take effect on January 1, 2020.

The text of the CCPA proposed regulation is available here. As a few highlights, the proposed regulation:

  • Defines “categories of sources” and “categories of third parties” to include consumer data resellers, among other types of entities. This shows the Attorney General’s increased scrutiny on data brokers.
  • Requires privacy notices to “[b]e accessible to consumers with disabilities” and “[a]t a minimum, provide information on how a consumer with a disability may access the notice in an alternative format.” This is consistent with recent trends towards ADA website compliance.
  • Requires businesses to either (1) notify consumers of the sale of their data, if they collected the data from third party sources, or (2) confirm or receive signed attestations from the source describing how they provided a notice of collection.
  • Requires greater offline rights to notice and opt-outs of sale, for businesses that substantially interact with consumers offline.
  • Contemplates a button or logo opt-out in a modified version of the regulation.
  • Recognizes the security risks of providing specific pieces of information in response to a request, with requirements around verification of identity and security of transmission.

Individuals and businesses interested in shaping the final CCPA regulations can attend public hearings or send comments by mail or email to the following:

  • Email: PrivacyRegulations@doj.ca.gov
  • Privacy Regulations Coordinator
    California Office of the Attorney General
    300 South Spring Street, First Floor
    Los Angeles, CA 90013

The public hearing dates and locations are as follows:

Public hearing dates and locations:

  • Sacramento – December 2, 2019, 10:00 a.m.
    CalEPA Building, Coastal Room, 2nd Floor
    1001 I Street
    Sacramento, CA 95814
  • Los Angeles – December 3, 2019, 10:00 a.m.
    Ronald Reagan Building, Auditorium, 1st Floor
    300 S. Spring Street
    Los Angeles, CA 90013
  • San Francisco – December 4, 2019, 10:00 a.m.
    Milton Marks Conference Center, Lower Level
    455 Golden Gate Ave.
    San Francisco, CA 94102
  • Fresno – December 5, 2019, 10:00 a.m.
    Fresno Hugh Burns Building, Assembly Room #1036
    2550 Mariposa Mall
    Fresno, CA 93721

More information about the public hearings and proposed CCPA regulation is available on the Attorney General’s CCPA website.